JVN#34977158
WordPress plugins "WP Tweet Walls" and "Sola Testimonials" vulnerable to cross-site request forgery
Overview
WordPress plugins "WP Tweet Walls" and "Sola Testimonials" provided by Sola Plugins contain a cross-site request forgery vulnerability.
Products Affected
CVE-2024-38344
- WP Tweet Walls versions prior to 1.0.4
- Sola Testimonials/Super Testimonials versions prior to 3.0.0
Description
WordPress plugins "WP Tweet Walls" and "Sola Testimonials" provided by Sola Plugins contain a cross-site request forgery vulnerability (CWE-352).
Impact
While a user is logged in to the WordPress site where the affected plugin is enabled, accessing a malicious page may make the user perform unintended operations on the WordPress site.
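As an added illustration of CWE-352 in a WordPress plugin (constructed example, not code from WP Tweet Walls or Sola Testimonials, whose affected handlers are not described here), the following hypothetical settings-save handler is shown first without any request-origin check and then with the nonce and capability checks WordPress provides; all function and option names prefixed `example_` are assumptions:

```php
<?php
// Hypothetical plugin settings handler (constructed example, not the affected plugins' code).
// Assumed: an admin form posts to admin-post.php with action=example_save_settings.

// VULNERABLE: any POST reaching this handler while an administrator is logged in is acted on.
// The browser attaches the administrator's login cookies to a request triggered from another
// site, so nothing here distinguishes a forged request from a genuine one.
function example_save_settings_vulnerable() {
    update_option( 'example_setting', sanitize_text_field( $_POST['example_setting'] ?? '' ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// HARDENED: verify a per-user, per-action nonce and the caller's capability before acting.
function example_save_settings_hardened() {
    // check_admin_referer() stops with a 403 if the nonce is absent, expired, or issued to another user.
    check_admin_referer( 'example_save_settings', '_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    update_option( 'example_setting', sanitize_text_field( wp_unslash( $_POST['example_setting'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );

// The settings form: wp_nonce_field() emits the hidden _example_nonce field that
// check_admin_referer() above validates, so only a form rendered for this user passes.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', '_example_nonce' ); ?>
        <input type="text" name="example_setting"
               value="<?php echo esc_attr( get_option( 'example_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of bug, look for every `admin_post_*`, `wp_ajax_*` or direct `$_POST` handler that changes state and confirm it reaches a nonce check and a capability check before the first write.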
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Sola Testimonials was updated to version 3.0.0 and renamed Super Testimonials in November 2020.
Vendor Status
Vendor | Link |
---|---|
Sola Plugins | WP Tweet Walls – WordPress plugin (WordPress.org) |
Sola Plugins | Super Testimonials – WordPress plugin (WordPress.org) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
These vulnerabilities were reported by the following reporters, and JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVE-2024-38344: Yuya Asato of GMO Cybersecurity by Ierae, Inc.
CVE-2024-38345: Yuta Takanashi
Other Information
Source | Reference |
---|---|
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2024-38344, CVE-2024-38345 |
JVN iPedia | JVNDB-2024-000066 |